Ransomware Remains a Dominant Threat to Enterprises in 2022
This blog was originally published by BitSight here.
Written by Marc Saltzman, Technology Journalist & Podcast Host of Tech It Out.
What the disturbing trend means for your organization and third-party vendors
As we start a new calendar year – nearly 24 months since the global pandemic started – ransomware continues to be one of the most significant threats to organizations worldwide.
Not only has the frequency of ransomware attacks nearly doubled (93 percent) during 2021 compared to the year prior, according to a cybersecurity report published by Check Point, but the dollar amount that cybercriminals are extorting is also on the rise.
Daily headlines confirm the massive disruptions caused by cyberattacks have affected government agencies, companies big and small, and even supply chains for essential goods such as gasoline, meat and medical supplies.
There are several reasons for this trend, suggests BitSight’s CTO and co-founder Stephen Boyer, which together have produced a “perfect storm” of cyber attacks.
Why ransomware is bigger than ever
“First, let’s acknowledge that ransomware has been a threat for a long time. Five years ago we published an article titled The Rising Face of Cybercrime: Ransomware to draw attention to the problem, and we continue to see this type of threat increase,” Boyer begins.
“But the accelerant is the ability to monetize ransomware through cryptocurrencies such as Bitcoin, which has made the task much easier for cybercriminals as ransom payments are harder to track. This, coupled with rushed digital adoption and transformation of organizations, results in a larger attack surface,” continues Boyer.
In addition, employees are becoming more distributed geographically, adds Boyer, with more remote home-based work setups, where security controls are not as strong as within the organization. This new model of remote and hybrid work invites more targeted attacks.
Cyber insurance has become a “security plan” for businesses: if an organization has cyber insurance, it is covered against losses stemming from cyber attacks, so the ransom can be paid, order and assets/information restored, and business continues as normal. Right? “Oftentimes, cyber insurance makes matters worse because attackers now know that you have the means to pay out the ransom and will target you because of that. This cycle then finances the next wave of ransomware.”
So, this begs the obvious question: what can be done to prevent ransomware attacks on an organization in the first place? This is an even more pressing discussion for enterprises that face risk through their third-party vendors and supply chain networks.
Acknowledging Third-Party Risk
“Third-party supply chain is where things get complicated,” continues Boyer. “Many of these organizations are pretty sophisticated and keep their digital systems up to date by investing in high-level security, but what they just can’t control as much is the cyber hygiene of the third-party ecosystem.”
Companies depend on third-parties for key services, such as marketing, payroll processing and IT infrastructure, but how secure are these products and services? “This is where you have less visibility and control,” says Boyer.
Driving risk reduction
“With the growth of digital supply chains that all companies are building, ransomware attacks targeting third parties are becoming a bigger issue and causing massive business disruption across all industries,” says Anders Norremo, CEO of ThirdPartyTrust.
Aaron Kirkpatrick, Chief Information Security Officer at Venminder, mirrors Norremo’s assessment: “Risks posed by ransomware attacks on your third parties are high [as] vendors are a more enticing target for cyber criminals. This is because vendors store information from multiple organizations and often are not assessed, audited or held to the same level of cyber hygiene as their clients, especially in regulated environments.”
Kirkpatrick says organizations need to ensure they’re doing their initial “due diligence” and continuous monitoring of vendors appropriate to the level of risk that the vendor poses; Venminder assesses what security controls the vendor says they have in place, while security rating services assess how they have implemented those controls on their externally-facing infrastructure.
“Even with effective third-party risk management activities, vendors may not inform their clients of an attack either due to not knowing themselves yet, or from fear of reputational damage and legal action against them,” advises Kirkpatrick. “This has caused some ransomware attackers to blackmail the individuals or organizations whose data they’ve collected from the vendor directly.”
“In many cases there are signs a third party is vulnerable to an attack, and so it’s important to utilize automation as much as possible to generate issues and raise risks immediately for a timely and appropriate response,” says Vasant Balasubramanian, VP and GM of Risk at ServiceNow.
Grading an organization’s ‘patching cadence’
By studying thousands of varying ransomware incidents, says BitSight CTO and co-founder Stephen Boyer, you begin to see a pattern emerge: organizations that don’t keep their systems up to date, meaning they are not applying the latest patches in a reasonable timeframe, are 7 times more likely to have a ransomware incident than organizations that do keep their systems up to date.
It’s important to measure an organization’s “patching cadence” by looking at the presence and duration of vulnerabilities observed on a company’s external-facing digital infrastructure. Not surprisingly, poor performance on patch management is highly correlated with ransomware risk.
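As an added example, not BitSight’s rating methodology or code: a short Python script that turns constructed vulnerability observations on external-facing assets into the “presence and duration” measures described above. The 30-day remediation window and the letter-grade thresholds are assumptions for illustration; the asset names and vulnerability ids are placeholders.

```python
from datetime import date

# Constructed sample observations (not BitSight data). Each row is one
# vulnerability seen on one external-facing asset: the day it was first
# observed and the day it stopped being observed (None = still open).
# Vulnerability ids are placeholders, not real CVEs.
OBSERVATIONS = [
    {"asset": "vpn.example.com",  "vuln": "VULN-0001", "first_seen": date(2021, 10, 1),  "resolved": date(2021, 10, 15)},
    {"asset": "mail.example.com", "vuln": "VULN-0002", "first_seen": date(2021, 11, 5),  "resolved": date(2021, 12, 30)},
    {"asset": "www.example.com",  "vuln": "VULN-0003", "first_seen": date(2021, 12, 20), "resolved": None},
    {"asset": "www.example.com",  "vuln": "VULN-0004", "first_seen": date(2022, 1, 2),   "resolved": date(2022, 1, 10)},
]

def days_exposed(obs: dict, as_of: date) -> int:
    """Duration the finding was (or has been) present; open findings are measured to as_of."""
    end = obs["resolved"] or as_of
    return (end - obs["first_seen"]).days

def patching_cadence(observations: list, as_of: date, sla_days: int = 30) -> dict:
    """Summarise presence (open count) and duration (exposure days, share fixed within SLA).

    sla_days is an assumed remediation window; the letter grade is an
    illustrative threshold scheme, not any vendor's rating formula.
    """
    if not observations:
        return {"open": 0, "mean_days_exposed": 0.0, "pct_within_sla": 100.0, "grade": "A"}
    durations = [days_exposed(o, as_of) for o in observations]
    open_count = sum(1 for o in observations if o["resolved"] is None)
    # Only findings actually closed inside the window count as "within SLA";
    # an open finding that is still young has not been remediated yet.
    within_sla = sum(1 for o, d in zip(observations, durations)
                     if o["resolved"] is not None and d <= sla_days)
    pct = 100.0 * within_sla / len(observations)
    mean_days = sum(durations) / len(durations)
    if pct >= 90 and mean_days <= sla_days:
        grade = "A"
    elif pct >= 70:
        grade = "B"
    elif pct >= 50:
        grade = "C"
    else:
        grade = "D"
    return {"open": open_count, "mean_days_exposed": round(mean_days, 1),
            "pct_within_sla": round(pct, 1), "grade": grade}

if __name__ == "__main__":
    print(patching_cadence(OBSERVATIONS, as_of=date(2022, 1, 31)))
```

Run against a vendor’s observation history, a low grade or a rising mean exposure is the kind of leading indicator the article recommends feeding into third-party risk reviews.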
Todd Boehler, Senior Vice President of Strategy at ProcessUnity, agrees ransomware attacks on your third parties can become attacks on you, “making it mission-critical that you gain visibility into third party risks.”
“You must understand your vendor’s cybersecurity practices, policies and controls, validate that these standards are upheld throughout the relationship, assign owners to establish cybersecurity accountability throughout the supply chain and raise issues as needed, ahead of security incidents,” says Boehler. “Periodic assessments and ongoing monitoring ensure potential risk is identified and mitigated throughout the relationship.”
Stay Ahead of Ransomware
To fight back against the growing threat of ransomware, we suggest three things: incorporate leading indicators of ransomware into your vendor risk management workflows via integrators; take a prioritized view so your team can focus on, and mitigate, the highest cyber risks first; and work with your vendors to create mutual accountability, which translates into more holistic resilience against risks such as ransomware.